
Configuring Okta Single Sign-On Integration with SAML

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Okta is an identity and access management platform. Its single sign-on solution allows users to log into a variety of systems using one centralized process.

  • Using Security Assertion Markup Language (SAML), a user can use their managed account credentials to sign in to enterprise cloud applications via Single Sign-On (SSO). An Identity Provider (IdP) service provides administrators with a single place to manage all users and cloud applications. 
  • You don’t have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IdP service provides your users with a unified sign-on across all their enterprise cloud applications. Invicti Enterprise supports both IdP-initiated and SP-initiated SAML SSO.
  • You can also create a new user in Invicti Enterprise using the Enable Auto Provisioning option.

If you encounter any problem while setting up SSO integration, see Troubleshooting SSO Issues.

You must use IdP-initiated SSO if you want to use Auto Provisioning.
If you use SP-initiated SSO, set the Name ID Format value to email address on the IdP side.


Single Sign-On Fields

This table lists and explains the Single Sign-On fields on the Configure Single Sign-On page.

  • Enable: Select this option to enable the single sign-on feature.
  • Enforce to authenticate only with single sign-on: Enable this option so only administrator users can authenticate without single sign-on. Users can only sign in to Invicti Enterprise by using the email address that belongs to their employer.
  • IdP Identifier: This is the SAML identity provider’s Identifier value.
  • SAML 2.0 Service URL: This is the Consumer URL value (also called the SSO Endpoint or Recipient URL).
  • SAML 2.0 Endpoint: This is the URL from your IdP’s SSO Endpoint field.
  • X.509 Certificate: This is the X.509 certificate value.

How to add an application to Okta
  1. Log in to Okta.
  2. From the main menu, go to Applications > Applications > Create App Integration.
  3. From the Create a new app integration dialog, select SAML 2.0. Select Next.
  4. On the Create SAML Integration page, enter a friendly name in the App name field. (For this example, it is Invicti.)
  5. Select Next, and then do the following:
    1. From Invicti Enterprise’s main menu, select Settings > Single Sign-On.
    2. Copy the SAML 2.0 Service URL value, switch to the Okta tab, and paste it into the Single Sign on URL field.
    3. Copy the Identifier value, switch to the Okta tab, and paste it into the Audience URI (SP Entity ID) field.
    4. To use the Enable Auto Provisioning option for user creation in Invicti Enterprise, add the FirstName, LastName, and Phone Number (optional) attributes in the Attribute Statements section. To add the OnlySsoLogin attribute, see How to add the OnlySsoLogin attribute to Okta.
  6. On the Okta tab, select Next. The Feedback tab is displayed.
  7. Select Finish.
  8. From Okta’s main menu, select Applications > Invicti.
  9. Select the Sign On tab, and scroll down to View Setup Instructions. Okta opens a new tab.
  10. From the new tab, do the following:
    1. Copy the URL from the Identity Provider Issuer field, switch to the Invicti Enterprise tab, and paste it into the IdP Identifier field.
    2. Copy the URL from the Identity Provider Single Sign-On URL field, switch to the Invicti Enterprise tab, and paste it into the SAML 2.0 Endpoint field.
    3. Copy the content of the X.509 Certificate field, switch to the Invicti Enterprise tab, and paste it into the X.509 Certificate field.
  11. On Invicti Enterprise’s Single Sign-On page, select any of the following options, as needed:
    • Enable Auto Provisioning: If enabled, an account is automatically created for IdP-registered users when they first access Invicti Enterprise. For this to work, you must complete the FirstName, LastName, and Phone Number (optional) fields in the Attribute Statements on the IdP side. For further information about OnlySsoLogin, see Provisioning a member.
    • Require SAML assertions to be encrypted: If enabled, assertions are encrypted so that third parties cannot read private data in transit. There are two options:
      • Generate a new certificate for me: Invicti generates a key pair. Invicti keeps the private key to decrypt received SAML messages and provides you with a certificate to upload on the IdP side. For further information about OnlySsoLogin, see Provisioning a member.
      • I have an existing certificate: Upload your certificate to Invicti by importing a decryption certificate from your files.
    • Use Alternate Login Email: If enabled, users can sign in via SSO with an alternative email address. You can enter an alternative email on the New Member Invitation page and when editing a user’s details on the Team page.
  12. Select Save Changes.

Invicti Enterprise informs you that the SSO configuration is saved.
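As an added example (not Invicti’s or Okta’s code), the following Python inspects a constructed SAML response for the items the procedure above configures: the email address Name ID format that SP-initiated SSO requires, an Audience matching the Identifier pasted into Audience URI (SP Entity ID), and the FirstName, LastName and OnlySsoLogin attribute statements that Auto Provisioning reads. The sample response, audience URL and user details are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# Namespaces used in SAML 2.0 protocol messages and assertions
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name ID format the page requires on the IdP side for SP-initiated SSO
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (not a real Okta response); the audience and attribute
# names mirror the Audience URI and Attribute Statements configured above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/identifier</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="OnlySsoLogin"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def inspect_assertion(xml_text, expected_audience):
    """Report NameID format, audience match and provisioning attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return {
        "name_id": name_id.text,
        # SP-initiated SSO needs the email address Name ID format
        "name_id_is_email": name_id.get("Format") == EMAIL_FORMAT,
        # the Audience must equal the Identifier pasted into Audience URI
        "audience_ok": expected_audience in audiences,
        # Auto Provisioning needs FirstName and LastName; OnlySsoLogin is a boolean
        "provisioning_ready": all(attrs.get(k) for k in ("FirstName", "LastName")),
        "only_sso_login": str(attrs.get("OnlySsoLogin", "")).lower() == "true",
        "attributes": attrs,
    }
```

This checks only the assertion's structure; signature and encryption handling belong to the SAML library that processes the real response.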

How to add a user to Okta and assign the application
  1. Log in to Okta.
  2. From the main menu, go to Directory > People > Add Person.
  3. On the Add Person dialog, fill out the form.
  4. Select Save.
  5. From the main menu, select Applications > Applications.
  6. Select Invicti from the list.
  7. Select Assign > Assign to People.
  8. From the Assign Invicti to People dialog, select Assign next to the person you want to add.
  9. Select Save and Go Back.
  10. Select Done.

You have assigned users to the application you created. These users can now log in to Invicti Enterprise via Okta.

How to add the OnlySsoLogin attribute to Okta
  1. Log in to Okta.
  2. From the main menu, select Directory > Profile Editor.
  3. Select the application you want.
  4. On the Profile Editor page, select + Add Attribute.
  5. On the Add Attribute page, do the following:
    1. From the Data Type drop-down, select boolean.
    2. Enter OnlySsoLogin in the Display name field.
    3. Enter OnlySsoLogin in the Variable name field.
    4. Select User Personal for the Scope.
  6. Select Save.
  7. From the main menu, go to Applications > Applications > Invicti.
  8. Select General.
  9. Select Edit next to SAML Settings.
  10. On the Edit SAML Integration page, select Next.
  11. On the Configure SAML step, select Add Another in the Attribute Statements (optional) section, and do the following:
    1. Enter OnlySsoLogin in the Name field.
    2. Enter appuser.OnlySsoLogin in the Value field.
  12. Select Next.
  13. On the Feedback page, select Finish.